SQL Injection is one of the most serious application security problems. The vulnerability exists any time a developer takes untrusted data (like something submitted in a URL or a web form) and concatenates it into a database query. The attacker can then change the meaning of the query and read, modify, or delete data in your database.
Scanning and penetration testing can detect SQL injection, but they only see the code paths and inputs the test happens to exercise, so they are error prone and likely to miss many instances. Static analysis and code review can also find it, but they are difficult and time consuming.
Contrast finds these vulnerabilities a different way. The Contrast Engine instruments the methods in your application that might be involved in a SQL injection flaw. Then, as your application runs, Contrast identifies any time untrusted data reaches a SQL query. It's like putting a tracing beacon on the untrusted data as it flows through your application.
In Java, whatever framework or ORM sits on top, the query eventually reaches the database through a small set of JDBC methods that take the SQL text:
- Statement.execute*
- Statement.addBatch
- Connection.prepare*
So Contrast watches these methods for untrusted data. If untrusted data shows up in the SQL text passed to them, Contrast reports a full trace of the SQL injection vulnerability to the Contrast TeamServer. The trace includes every step in the vulnerability: the actual data, the exact lines of code for each step, and the full HTTP request for replay and testing. Note that Connection.prepare* is on the list for a reason: a prepared statement is only safe when untrusted data goes into its bind parameters. If the SQL string handed to prepareStatement is itself concatenated from untrusted input, it is just as injectable as a plain Statement.
This approach has several advantages. It doesn't require any appsec expertise to set up or use. Installation and use are both incredibly fast. And it's far more accurate than those other techniques. Give it a try and you'll never think of application security tools the same way again!
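The following is an added example (not code from Contrast or from the original post) showing the three situations described above: untrusted data concatenated into the query text, untrusted data concatenated into the text of a prepared statement, and untrusted data confined to bind parameters. It uses Python's sqlite3 module as a stand-in for JDBC: `conn.execute(sql)` plays the role of `Statement.executeQuery`, and `conn.execute(sql, params)` the role of `Connection.prepareStatement` plus `setString`. The user table, the login functions and the attack payload are all constructed for the demo and are assumptions, not data from any real application.

```python
import sqlite3

# Constructed sample data for the demo (assumption, not a real application).
USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]

# Tautology payload that keeps the quoting balanced so it works whether it
# lands in the name or the password position: ' OR 1=1 OR '
PAYLOAD = "' OR 1=1 OR '"


def _connect():
    """Create an in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input concatenated into the SQL text. The sink (execute,
    i.e. Statement.executeQuery in JDBC) receives attacker-controlled query
    text, so the attacker can change the query's structure."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_still_vulnerable(conn, name, password):
    """A prepared statement whose SQL text is itself built from untrusted
    data. The password is bound safely, but the name is concatenated into
    the text handed to the sink (Connection.prepareStatement in JDBC), so
    the query is still injectable. This is why prepare* is a sink."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = ?")
    return conn.execute(sql, (password,)).fetchall()


def login_safe(conn, name, password):
    """SQL text is a constant; untrusted data only ever reaches the bind
    parameters, which cannot alter the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run each login against the same payload and return the rows each one
    leaks. Only the two functions where untrusted data reaches the SQL text
    return rows for a wrong password."""
    conn = _connect()
    try:
        return {
            "vulnerable": login_vulnerable(conn, "alice", PAYLOAD),
            "prepared_but_concatenated": login_still_vulnerable(conn, PAYLOAD, "wrong"),
            "safe_attack": login_safe(conn, "alice", PAYLOAD),
            "safe_valid": login_safe(conn, "alice", "s3cret"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

In a taint-tracking view of these three functions, the payload is tagged as untrusted when it enters and the tag follows it through the string concatenation; in `login_vulnerable` and `login_still_vulnerable` a tagged string arrives at the execute/prepare sink as query text and the finding is reported, whereas in `login_safe` the tagged values only arrive as parameters and nothing is reported.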
